Under the new rules, public companies have to report on the impact of a material hack.
U.S. officials have publicly complained that tech companies have failed to sufficiently secure user accounts.
FBI officials last year estimated that the bureau has visibility into only a quarter of cyber incidents.